CVE-2018-19841

Published: 04 December 2018

The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (out-of-bounds read and application crash) via a crafted WavPack Lossless Audio file, as demonstrated by wvunpack.

Priority

Medium

CVSS 3 base score: 5.5

Status

Package: wavpack (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (5.1.0-5)
Ubuntu 18.04 LTS (Bionic Beaver): Released (5.1.0-2ubuntu1.2)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected [code not present])

Patches:
Upstream: https://github.com/dbry/WavPack/commit/bba5389dc598a92bdf2b297c3ea34620b6679b5b